Google’s security research unit is sounding the alarm about a series of vulnerabilities it has found in certain Samsung chips included in dozens of Android models, wearables and vehicles, fearing the flaws could be quickly discovered and exploited.
In a blog post, Google’s Project Zero head Tim Willis said that its internal security researchers have found and reported 18 zero-day vulnerabilities in Exynos modems manufactured by Samsung in recent months, including four very serious flaws that could put affected devices at risk “silently and remotely” via the mobile network.
“Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user intervention, and require only that the attacker knows the victim’s phone number,” said Willis.
Gaining the ability to remotely execute code at a device’s baseband level, essentially the Exynos modems that convert cell signals into digital data, could allow an attacker virtually unfettered access to the data streams flowing in and out of an affected device, including mobile calls, text messages and mobile data, without alerting the victim.
As revelations go, it’s rare for Google — or any other security research firm — to sound the alarm about very serious vulnerabilities before they’re patched. Google pointed out the risk to the public, stating that skilled attackers could “quickly pull off an operational exploit” with limited investigation and little effort.
Project Zero researcher Maddie Stone wrote on Twitter that Samsung had 90 days to patch the bugs, but hasn’t done so yet.
Samsung confirmed in a March 2023 security listing that several Exynos modems are vulnerable, affecting several Android device manufacturers, but provided few further details.
According to Project Zero, affected devices include nearly a dozen Samsung models, Vivo devices, and Google’s own Pixel 6 and Pixel 7 handsets. Affected devices also include wearables and vehicles that rely on Exynos chips to connect to the cellular network.
Google said patches vary depending on the manufacturer, but noted that its Pixel devices have already been patched with the March security updates.
Until affected manufacturers push software updates to their customers, Google said users who want to protect themselves can disable Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which removes “the exploit risk of these vulnerabilities.”
Google said the remaining 14 vulnerabilities were minor because they required access to a device or insider or privileged access to a mobile carrier’s systems.